#! /bin/bash

# (c) Thomas Lange, 2001-2013, lange@debian.org

error=0; trap 'error=$(($?>$error?$?:$error))' ERR # save maximum error code

ifclass XORG && {
    fcopy -M /etc/X11/xorg.conf
}

if ifclass -o UBUNTU PXEUBUNTU PXETRUSTY PANDA64; then
     groups="adm cdrom sudo dip plugdev lpadmin sambashare"
     $ROOTCMD addgroup --system lpadmin || true
     $ROOTCMD addgroup --system sambashare || true
fi
 
fcopy -m root,root,600 /etc/audit/auditd.conf
fcopy -m root,root,600 /etc/audit/audit.rules
fcopy /etc/zsh/zlogin
ainsl /etc/zsh/zprofile 'source /etc/profile'
#sed -i 's/^UMASK.*$/UMASK       077/' $target/etc/login.defs
#sed -i 's/^umask.*$/umask 077/' $target/etc/init.d/rc
#ainsl /etc/pam.d/common-session 'session optional pam_umask.so umask=077'
#Desktop can use usb and firewire storage
ifclass -o XORG GNOME_EL7 XFCE_EL7 KDE_EL7 DDE || ainsl -a /etc/modprobe.d/blacklist-storage.conf 'blacklist usb-storage'
ifclass -o XORG GNOME_EL7 XFCE_EL7 KDE_EL7 DDE || ainsl -a /etc/modprobe.d/blacklist-storage.conf 'blacklist firewire-ohci'
ifclass -o XORG GNOME_EL7 XFCE_EL7 KDE_EL7 DDE || ainsl -a /etc/modprobe.d/blacklist-storage.conf 'blacklist thunderbolt'

#ainsl -a /etc/modprobe.d/blacklist-storage.conf 'blacklist floppy'
ainsl -a /etc/modprobe.d/blacklist-pcspkr.conf 'blacklist pcspkr'
ainsl -a /etc/modprobe.d/blacklist-bluetooth.conf 'blacklist bluetooth'
if ifclass CENTOS7_64 ; then
    ainsl -a /etc/modprobe.d/ip_vs.conf 'options ip_vs conn_tab_bits=20'
else
    ainsl -a /etc/modprobe.d/ip_vs.conf 'options ip_vs conn_tab_bits=24'
fi
ainsl -a /etc/modprobe.d/ip_vs.conf 'options nf_conntrack hashsize=262144'

sed -i 's/^#fs.xfs/fs.xfs/' $target/etc/sysctl.conf

[ -n "$LOGSRV" ] && ainsl -a -q /etc/rsyslog.conf "*.*@$LOGSRV:514"
#sed -i 's/^#FSCKFIX.*$/FSCKFIX=yes/' $target/etc/default/rcS
#ainsl /etc/default/rcS 'umask 077'
sed -i 's/^for FILE.*$/for FILE in passwd group ; do/' $target/etc/cron.daily/passwd

#sed -i 's/^SHELL.*$/SHELL=\/bin\/zsh/' $target/etc/default/useradd
#sed -i 's/DSHELL.*$/DSHELL=\/bin\/zsh/' $target/etc/adduser.conf
# add  user account:hmuser

if ! $ROOTCMD getent passwd hmuser ; then
    $ROOTCMD adduser --disabled-login --gecos 'HUMAN USER' hmuser
    $ROOTCMD usermod -p '$1$.cWiG8mO$FXN7lZaghXxjZnhshvqfm/' hmuser
    for g in $groups; do
	$ROOTCMD adduser hmuser $g
    done
    $ROOTCMD adduser hmuser adm
    $ROOTCMD adduser hmuser sudo
    #sed -i '/^root/a\hmuser    ALL=(ALL:ALL) NOPASSWD:ALL' $target/etc/sudoers
fi

if ifclass PANDA64 ; then
#change to light weight window manager,then open dde-control-center, switch window effects on and off
#deepin-metacity --no-composite --replace
mkdir -p $target/home/hmuser/.config/deepin/deepin-wm-switcher
cat <<'EOF' > $target/home/hmuser/.config/deepin/deepin-wm-switcher/config.json
{
    "allow_switch": true,
    "last_wm": "deepin-metacity"
}
EOF
$ROOTCMD chown -R hmuser:hmuser /home/hmuser
fi

#ainsl -a /etc/ld.so.preload '/lib/snoopy.so'
sed -i 's/^LOAD_KEXEC.*$/LOAD_KEXEC=true/' $target/etc/default/kexec
sed -i 's/^USE_GRUB_CONFIG.*$/USE_GRUB_CONFIG=true/' $target/etc/default/kexec

ainsl /etc/ssh/ssh_config 'HashKnownHosts yes'
ainsl /etc/ssh/ssh_config 'Compression no'
ainsl /etc/ssh/ssh_config 'ServerAliveInterval 60'
ainsl /etc/ssh/ssh_config 'ServerAliveCountMax 2'
ainsl /etc/ssh/ssh_config 'ControlMaster auto'
ainsl /etc/ssh/ssh_config 'ControlPath /tmp/ssh_mux_%h_%p_%r'
ainsl /etc/ssh/ssh_config 'ControlPersist 1h'

sed -i 's/^PrintLastLog.*$/PrintLastLog yes/' $target/etc/ssh/sshd_config
sed -i 's/^PrintMotd.*$/PrintMotd yes/' $target/etc/ssh/sshd_config
sed -i 's/^X11Forwarding.*$/X11Forwarding no/' $target/etc/ssh/sshd_config
sed -i 's/^LogLevel.*$/LogLevel verbose/' $target/etc/ssh/sshd_config
sed -i 's/^UsePrivilegeSeparation.*$/UsePrivilegeSeparation sandbox/' $target/etc/ssh/sshd_config
ainsl /etc/ssh/sshd_config 'ClientAliveCountMax 10'
ainsl /etc/ssh/sshd_config 'AllowAgentForwarding no'
ainsl /etc/ssh/sshd_config 'Compression no'
ainsl /etc/ssh/sshd_config 'MaxAuthTries 5'
ainsl /etc/ssh/sshd_config 'AllowTcpForwarding no'
ainsl /etc/ssh/sshd_config 'UseDNS no'
ainsl /etc/ssh/sshd_config 'DebianBanner no'
sed -i 's/^.*pam_motd.so/#&/' $target/etc/pam.d/sshd
ainsl /etc/bash.bashrc 'force_color_prompt=yes'
for disk in $disklist
    do  ainsl /etc/sysfs.conf "block/$disk/queue/read_ahead_kb = 4096"
        ainsl /etc/sysfs.conf "block/$disk/queue/rq_affinity = 1"
        ainsl /etc/sysfs.conf "block/$disk/queue/write_cache = write\ back"
        ainsl /etc/sysfs.conf "block/$disk/queue/nr_requests = 2048"
done
#ainsl /etc/sysfs.conf 'kernel/mm/transparent_hugepage/enabled = never'
#ainsl /etc/sysfs.conf 'kernel/mm/ksm/run = 1'
#ainsl /etc/sysfs.conf 'kernel/mm/ksm/sleep_millisecs = 1000'
ainsl /etc/sysfs.conf 'fs/cgroup/memory/memory.use_hierarchy = 1'
ainsl /etc/sysfs.conf 'class/net/eth0/queues/rx-0/rps_cpus = f'
ainsl /etc/sysfs.conf 'class/net/eth0/queues/tx-0/xps_cpus = f'
ainsl /etc/sysfs.conf 'class/net/eth0/queues/rx-0/rps_flow_cnt = 4096'

#polkit can not work with hidepid=2
if ifclass -o XORG GNOME GNOME_EL7 XFCE_EL7 KDE KDE_EL7 DDE ; then
   ainsl /etc/fstab 'proc    /proc    proc    defaults     0     0'
else
   ainsl /etc/fstab 'proc    /proc    proc    defaults,hidepid=2     0     0'
fi

#ainsl /etc/fstab 'tmpfs   /dev/shm    tmpfs ro,noatime,nosuid,nodev,noexec  0   0'

#chmod 0711 $target/var/log
#chmod o-rwx $target/var/log/*
#chmod g-rwx $target/var/log/*
#setfacl -m g:adm:r-- $target/var/log/wtmp
sed -i 's/^\$FileCreateMode.*$/\$FileCreateMode 0600/' $target/etc/rsyslog.conf
sed -i 's/^\$DirCreateMode.*$/\$DirCreateMode 0711/' $target/etc/rsyslog.conf
#sed -i 's/^\$Umask.*$/\$Umask 0077/' $target/etc/rsyslog.conf
#sed -i 's/^# disable 10/disable 10/' $target/etc/naccttab
#sed -i 's/^iflimit/#iflimit/' $target/etc/naccttab
#sed -i 's/^ignoremask/#ignoremask/' $target/etc/naccttab
#sed -i 's/^#device/device/' $target/etc/naccttab
sed -i 's/pam_cracklib.so.*$/pam_cracklib.so retry=3 minlen=16 difok=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1/' $target/etc/pam.d/common-password

cat << EOM > $target/etc/rc.local
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
#NIC tuning
#CentOS /sbin/ifup-local 
#ifconfig $NIC1 txqueuelen 10000
ip link set dev $NIC1 txqueuelen 10000
#Flow Control
ethtool -A $NIC1 tx off
ethtool -A $NIC1 rx off
#receive(RX) ring buffer size
#ethtool -G $NIC1 rx 1020
#interrupt coalescing
#ethtool -C $NIC1 rx-usecs 5
ethtool -K $NIC1 tso on
ethtool -K $NIC1 gso on
#ethtool -K $NIC1 ufo on
#ethtool -K $NIC1 lro on
ethtool -K $NIC1 gro on
exit 0
EOM
chmod +x $target/etc/rc.local

exit $error
